Determining When to Modify Security Policy

Important

In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to the .NET Framework 4 and later versions. For more information about this and other changes, see Security Changes in the .NET Framework 4.

You do not necessarily need to modify the default security settings. For many situations, the default security settings provide an adequate level of protection. Code that does not originate from the local computer (and is therefore likely to be less trustworthy) receives restricted access to protected resources under the default security policy. Code originating from the Internet and local intranet is restricted in the following ways:

  • Code that originates from the Internet or local intranet does not have permission to read or write to a local drive.

  • Code that originates from the Internet or local intranet does not have permission to read or write to the system registry.

  • Code that originates from the Internet or local intranet can connect over the network only to the Web site it was loaded from (site-of-origin access).

  • Code that originates from the local intranet has unrestricted access to UI elements, but code originating from the Internet can use only safe sub windows and its own Clipboard data (it cannot read data that other applications placed on the Clipboard).

The default security policy is adequate for most, but not all, situations. You should consider modifying security policy when:

  • You want to trust an application that requires more permission than the zone from which it originates receives by default.

  • You use applications from a particular publisher that you completely trust and want these applications to have access to specific resources no matter where they are executed.

  • You want applications on the local computer to have less than full trust. For example, you are an enterprise administrator and you want to prevent users from installing and running untrusted applications.

If you decide to edit policy, make sure that you do not reduce the permissions granted to applications to the point where they no longer function. An application that demands a permission it has not been granted fails with a SecurityException at the point of the demand, so verify the resulting grant for the affected assemblies before relying on the new policy.
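The three situations listed above, and the check the preceding paragraph asks for, expressed as Caspol.exe commands against machine-level policy. This is an added example, not code from the original topic; it assumes a .NET Framework 2.0 to 3.5 installation (Caspol.exe under v2.0.50727), an elevated PowerShell session, and hypothetical host names, file paths, certificate file, and group and permission-set names.

```powershell
# Added example, not part of the original topic. Every host name, path, certificate
# file, group name and permission-set name below is hypothetical.
$caspol = "$env:windir\Microsoft.NET\Framework\v2.0.50727\caspol.exe"

# Look at the machine-level code-group tree before changing anything. The default labels
# used below are 1 (All_Code), 1.1 (My_Computer_Zone) and 1.2 (LocalIntranet_Zone).
& $caspol -m -listgroups

# 1. Trust one intranet application that needs more than the LocalIntranet set.
#    Add a child group under LocalIntranet_Zone whose URL membership condition matches
#    only the application's download location, and grant it FullTrust. A child group's
#    grant is unioned with its parent's, so other intranet code is unaffected.
#    -q suppresses the "are you sure" prompt for this one command.
& $caspol -m -q -addgroup 1.2 -url "http://apps.example.com/tool/*" FullTrust -name "Example_Tool_FullTrust"

# 2. Trust a publisher for specific resources regardless of origin. First register a
#    named permission set holding only what that publisher's code needs (execute, read
#    C:\Data, limited UI), then add a group under All_Code with a Publisher membership
#    condition taken from the publisher's X.509 certificate file. Placing the group under
#    All_Code makes it apply whatever zone the code is loaded from.
$psetXml = @"
<PermissionSet class="System.Security.NamedPermissionSet" version="1"
               Name="Publisher_DataReader" Description="Execute and read C:\Data only">
  <IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1" Flags="Execution" />
  <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1" Read="C:\Data" PathDiscovery="C:\Data" />
  <IPermission class="System.Security.Permissions.UIPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
               version="1" Window="SafeSubWindows" Clipboard="OwnClipboard" />
</PermissionSet>
"@
Set-Content -Path "$env:TEMP\Publisher_DataReader.xml" -Value $psetXml -Encoding ASCII
& $caspol -m -q -addpset "$env:TEMP\Publisher_DataReader.xml"
& $caspol -m -q -addgroup 1 -pub -cert "C:\Certs\publisher.cer" Publisher_DataReader -name "Publisher_DataReader_Group"

# 3. Give local code less than full trust. Change My_Computer_Zone's permission set from
#    FullTrust to LocalIntranet. Framework assemblies keep FullTrust through the
#    Microsoft_Strong_Name and ECMA_Strong_Name child groups, but every other assembly
#    loaded from a local drive is affected, including administrative tools.
& $caspol -m -q -chggroup 1.1 LocalIntranet

# Check: for each local assembly that matters, show which groups it falls into and the
# permissions it actually receives across all policy levels (enterprise, machine and user
# grants are intersected). Compare the result with the application's minimum request.
& $caspol -a -resolvegroup "C:\Apps\Tool.exe"
& $caspol -a -resolveperm  "C:\Apps\Tool.exe"
```

Caspol.exe saves the previous policy before each change, so `caspol -m -recover` rolls back the last change if the check shows an application has lost a permission it needs, and `caspol -m -reset` restores the machine level to its defaults. Step 3 in particular should be tried on one machine first: the administrative tools you use to fix policy are themselves local assemblies.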

See Also

Tasks

How to: Add Custom Permissions to Security Policy

Concepts

Administration Tools

Administration with Code Group Attributes

Administration Tips

Other Resources

Security Policy Best Practices